[users@httpd] Re: Fwd: Problem checking signature of httpd, apr, apr-util rpms

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Marx,
 Thanks for the quick reply. I'm cc-ing to the apache user's list for
the benefit of others.

On 7/12/06, Apache Security Response Team <security@xxxxxxxxxx> wrote:
Dear Kim Leng Goh:

This is actually a known problem with rpm signature checking.  rpm will
not correctly validate a key where the public key contains signatures.
Therefore you cannot simply rpm --import the httpd KEYS file (or even an
extraction of one key from it).

If you want to import a public key into rpm you need to import a clean
version without signatures.  If this is not provided (as in this case)
then you can only use "rpm --checksig -vv" which will validate the
signature and show you the key used to sign.  Alternatively, upstream
versions of rpm since 4.4.2 are known to fix this issue (unverified).

For gory details see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90952

Thank you, Mark
--
Mark J Cox
Apache Software Foundation

On Wed, 12 Jul 2006, Kim Leng Goh wrote:

> Hi,
>   I'm forwarding my email to the security mailing list as this appears
> to be a security issue. Apologies if this is the wrong place.
>
>
> ---------- Forwarded message ----------
> [...]
> Date: Jul 7, 2006 3:02 PM
> Subject: Problem checking signature of httpd, apr, apr-util rpms
> To: users@xxxxxxxxxxxxxxxx
> Cc: minfrin@xxxxxxxxxx, dev@xxxxxxxxxxxxxx
>
>
> Hi all,
>
>   I encountered some problems with the KEYS at
> http://www.apache.org/dist/httpd/KEYS and
> http://www.apache.org/dist/apr/KEYS with the "rpm --checksig" or "rpm
> -K" command on some of the rpms such as
> http://www.apache.org/dist/httpd/binaries/rpm/SRPMS/httpd-2.0.58-1.src.rpm,
> http://www.apache.org/dist/apr/binaries/rpm/SRPMS/apr-0.9.12-1.src.rpm,
> http://www.apache.org/dist/apr/binaries/rpm/i386/apr-1.2.7-1.i386.rpm
>
> Without importing any public key, I get "NOKEY":
>
> # rpm -K -v httpd-2.0.58-1.src.rpm
> httpd-2.0.58-1.src.rpm:
>     Header V3 DSA signature: NOKEY, key ID 751d7f27
>     Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
>     MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
>     V3 DSA signature: NOKEY, key ID 751d7f27
>
>
> Using http://www.apache.org/dist/apr/KEYS, I extracted lines 513 to
> 712 of the file into another file "KEYS.2":
>
> # head -712 KEYS|tail -200 > KEYS.2
>
> # rpm --import KEYS.2
>
> # rpm -qa|grep gpg
> ...
> gpg-pubkey-751d7f27-3ddd0dfa
> ...
>
>
> and I get "BAD":
>
> # rpm -K -v httpd-2.0.58-1.src.rpm
> httpd-2.0.58-1.src.rpm:
>     Header V3 DSA signature: BAD, key ID 751d7f27
>     Header SHA1 digest: OK (18af314df2009ad54b2b638ea379f306e1a0bf95)
>     MD5 digest: OK (20168dc0056ecdccc824a5bdef1c9216)
>     V3 DSA signature: BAD, key ID 751d7f27
>
>
> If I use the key from
> http://pgp.mit.edu:11371/pks/lookup?search=0x751D7F27&op=index
> (e.g. http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x751D7F27), I
> get f88341d9 as the key ID. Apparently, f88341d9 should belong to Lars
> Eilebrecht.
>
> # rpm --import KEYS.3
> # rpm -qa|grep gpg
> ...
> gpg-pubkey-f88341d9-3ddd3c97
> ...
> gpg-pubkey-751d7f27-3ddd0dfa
>
> Regards,
> KL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: security-unsubscribe@xxxxxxxxxx
> For additional commands, e-mail: security-help@xxxxxxxxxx
>
>

--



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux